Sunday, April 20, 2014

Apple's SSL/TLS bug (22 Feb 2014)

Lastly, there was a lot of discussion yesterday that Apple missed checking the hostname in the certificate. It's true that curl on the OS X command line oddly accepts HTTPS connections to IP addresses when the IP address isn't in the certificate, but I can't find that there's anything more than that and Safari doesn't have that problem.
The researchers who discovered Heartbleed said the bug could exist inside hundreds of millions of websites, based on the market share of the open-source software that uses OpenSSL. The number is closer to 500,000, because only a fraction of sites had the vulnerable functionality turned on, according to Netcraft, a cyber-security firm.
Adam Langley from Google is the mysterious person who discovered the Heartbleed bug's effects in Apple's OSs after it was patched on February 21st.

From the point of view of a browser, Langley has seen many HTTPS sites getting it dreadfully wrong and, from the point of view of a server, he’s part of what is probably the largest HTTPS serving system in the world.
